
So I have a WD MyCloud EX2 using OpenVPN to connect to a paid VPN service, but I still want to have access to my SSH, FTP and Plex ports (22, 20-21, 32400) from an external network using port forwarding to the local network. I'm aware I can set up port forwarding on the VPN server and my provider allows for that, but the IP always changes and I don't want to go through the VPN provider. I am able to access these ports by default when on the local network with the NAS (and when using OpenVPN to route into the local network), but I am unable to connect using port forwarding (it stops working once I enable the NAS VPN). I tried some basic iptables rules such as iptables -A OUTPUT -p tcp -m tcp --dport 32400 -j AC but they do not seem to work. I've seen various posts about attempting similar things but they seemed either supe Does anyone have any ideas on how to allow the NAS to bypass OpenVPN for specific ports? Thanks

2 Answers


The problem is likely because of routing. Most likely, your VPN provider pushes routes that force your device to use the VPN server as the default gateway. Usually, it will push 0.0.0.0/1 and 128.0.0.0/1, as these two routes combined will cover the entire IPv4 address space, and still allow you to talk to your immediate upstream gateway and local network(s), as they take precedence since they have larger prefixes (e.g. /24).

This means that if your VPN client receives a packet from a host on the internet (e.g. 1.2.3.4) on its eth0 interface, for example, it will match the route 0.0.0.0/1 and get sent to your VPN server. 1.2.3.4 is not expecting a packet from your VPN server, and thus the connection fails to be established. What you want is for the reply packet to be sent out from eth0, back out the way the initial packet came in.

This can be accomplished with routing policy on the machine that is the VPN client that you need to access with port forwarding. See this similar question and the first answer: Reply on same interface as incoming?

To quote:

echo 200 isp2 >> /etc/iproute2/rt_tables
ip rule add from <interface_IP> dev <interface> table isp2
ip route add default via <gateway_IP> dev <interface> table isp2
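
To make the routing argument in this answer concrete, here is a small Python simulation of the Linux routing decision. It is added by the editor and is not part of this answer or of the linked one. It models the routes the answer describes (the pushed 0.0.0.0/1 and 128.0.0.0/1 on top of the normal default route, resolved by longest-prefix match) and the effect of the quoted ip rule / ip route commands on a reply packet. The addresses, interface names and the host route for the VPN server are constructed assumptions; the ip rule is modelled on its from (source address) selector only, the dev selector is not simulated.

```python
import ipaddress

# Constructed topology for this simulation (assumptions, not taken from the post):
LAN_IP = "192.168.1.10"       # the NAS's address on eth0 (<interface_IP> in the quoted commands)
LAN_GW = "192.168.1.1"        # the ISP router (<gateway_IP>)
VPN_GW = "10.8.0.1"           # far end of the tun0 tunnel
VPN_SERVER = "203.0.113.5"    # public address of the VPN server (documentation range)

# A route is (prefix, output interface, gateway or None for a directly connected network).
MAIN_TABLE = [
    ("192.168.1.0/24", "eth0", None),       # connected LAN
    ("10.8.0.0/24", "tun0", None),          # VPN transit network
    (VPN_SERVER + "/32", "eth0", LAN_GW),   # host route so the tunnel itself can reach the server
    ("0.0.0.0/0", "eth0", LAN_GW),          # original default route via the ISP
    ("0.0.0.0/1", "tun0", VPN_GW),          # pushed by the VPN server; together with 128.0.0.0/1 ...
    ("128.0.0.0/1", "tun0", VPN_GW),        # ... it covers all of IPv4 and beats the /0 default
]

# 'ip route add default via <gateway_IP> dev <interface> table isp2'
ISP2_TABLE = [("0.0.0.0/0", "eth0", LAN_GW)]

# Policy rules in priority order: (source address to match, or None for 'from all', table).
# Before the fix only the kernel's implicit 'from all lookup main' exists.
RULES_BEFORE = [(None, MAIN_TABLE)]
# 'ip rule add from <interface_IP> ... table isp2' is consulted ahead of the main table.
RULES_AFTER = [(LAN_IP, ISP2_TABLE), (None, MAIN_TABLE)]


def lookup(table, dst):
    """Longest-prefix match inside one table, the way the kernel FIB selects a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, via)
    return None if best is None else (best[1], best[2])


def route(dst, src, rules):
    """Walk the rules in order; the first matching rule whose table holds a route decides.

    src="0.0.0.0" stands for a locally generated packet whose source address has not
    been chosen yet, which is what the kernel looks up for a new outbound connection.
    """
    for match_src, table in rules:
        if match_src is None or ipaddress.ip_address(src) == ipaddress.ip_address(match_src):
            hit = lookup(table, dst)
            if hit is not None:
                return hit
    raise LookupError("no route to %s" % dst)


def reply_path(client, rules):
    """Where the NAS sends its reply to a connection that arrived on eth0 from `client`.

    The reply is sourced from the eth0 address the client connected to and is
    addressed back to the client.
    """
    return route(client, LAN_IP, rules)


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(label, "reply to 1.2.3.4 ->", reply_path("1.2.3.4", rules))
        print(label, "reply to 200.1.1.1 ->", reply_path("200.1.1.1", rules))
        print(label, "NAS-originated to 8.8.8.8 ->", route("8.8.8.8", "0.0.0.0", rules))
        print(label, "reply to LAN host 192.168.1.20 ->", route("192.168.1.20", LAN_IP, rules))
```

Running it shows the two halves of the answer: before the rule, a reply to 1.2.3.4 (matched by 0.0.0.0/1) or to 200.1.1.1 (matched by 128.0.0.0/1) leaves through tun0, while after the rule any packet sourced from the eth0 address is routed by table isp2 and leaves through eth0 toward the ISP gateway. Connections the NAS itself opens are looked up before a source address is chosen, so they never match the from rule and still go through the VPN. The simulation also shows one side effect of the quoted three-line recipe: with only a default route in table isp2, a reply sourced from the eth0 address to another LAN host is sent via the gateway rather than directly; adding the connected LAN route to table isp2 as well avoids that.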

You can set up DDNS (dynamic DNS), which will give you a domain name for your dynamic IP address. I personally use no-ip; it's free, you just need to press a button every 30 days to confirm you still want the domain.

You can set it up on your primary router, with a client on your Windows machine, or from a Linux server in your network.

You can set up OpenVPN (if you have built it yourself) and make it VPN type 3 with tunneling, which will make your device be on the same subnet as your devices from every network you connect from. It's recommended to have a different IP address range for your home network, like 10.10.1.0/24, so you won't have IP address collisions when you use it.